Dan Walsh's Blog

Got SELinux?

Some History
------------

I have lived the Unix wars over the past 20 years. I worked on Project Athena back at Digital Equipment (DEC) in the late 1980's and remember all the effort that it took to make it work on multiple UNIX versions.

We had the best technology at the time. MIT and DEC had awesome technology including instant messaging (Zephyr), security (Kerberos), distributed management (Moira), secure file systems with Kerberized NFS and AFS, shared name service via DNS and Hesiod, and a network windowing system (X). You could walk up to any machine and log in and have the same environment. We had single sign-on. We had universities working on the product. It was a perfect system. But then we decided it needed to run on multiple different Unixes. We spent untold dollars making it work. The problem was instead of improving the overall product, we spent all of our time dealing with differences between the platforms. During this time Microsoft was developing NT group-ware products and ended up blowing us out of the water. The Unix wars had destroyed a great product.

Linux consistency refocuses Unix developers
-------------------------------------------

After a few years of working on Microsoft platforms for managing security infrastructure on Unix and Non-Unix platforms, I came to Linux. Linux seemed to have corrected the problems of the UNIX wars. It was community based, all vendors shared the same code and worked together to build a common platform. Sure, there were multiple competing layered products, but almost all could run on all the different distributions. Third party vendors could fairly easily build to a single API and it worked on everyone's Linux.

Three years ago, I was asked to work on the SELinux Team at Red Hat to bring Mandatory Access Control to a mainstream operating system (OS). MAC had been attempted before but had always failed or became a one-off OS. OS vendors would ship the primary OS and then a "Trusted" version. This "Trusted" version would quickly become out of date as the main development efforts would always go into the primary OS and eventually be ported to the "Trusted" version.

With SELinux we decided we could do both at the same time. Using the Open Source method, we could get multiple companies and customers working on it. We had some stumbles along the way, but through the use of the Fedora Core collaborative development process we came up with a single OS that uses MAC and handles everything from your laptop to the highest levels of security specified by government.

Today we have great technology. We have many companies and government organizations collaboratively working on SELinux together, including Red Hat, IBM, HP, NSA, DOD, Tresys, Trusted Computing Systems. We have a significant open source community built around SELinux, colleges and universities contributing and doing experiments with it. We have multiple distributions shipping with SELinux including Fedora Core (2, 3, 4 and soon 5), Red Hat Enterprise Linux 4, Gentoo, Debian, Ubuntu, Suse and Slackware.

Security Deja Vu
----------------

Everything seems to be going great, but ... Novell, who last year claimed to be the first Linux distribution to ship with SELinux technology, suddenly announced that they are dropping support for it. To replace it, they bought a product called AppArmor and are now asking third party developers to use it instead of SELinux. Is this the beginning of the Unix wars all over again?

Not only is AppArmor divergent from upstream/community, but it is also not suitable as a real alternative to SELinux, because it lacks the flexibility and scalability of SELinux to address the full range of security concerns, and its limitations are not just in implementation but architectural.

Novell claims that AppArmor is easier to use for third parties. But now users and developers have to choose one or the other mechanism for providing MAC, and ignore the other platform's security mechanism. Or do twice as much work, to support both. Think back to the Project Athena example. Is this easier? Couldn't Novell have spent their money on making SELinux easier to use? No, Novell chooses to split the user and developer community. I am not sure what their goals are, but I feel this hurts Linux and the open source movement. The community has now gotten SELinux to the point where "easier" is coming, but built upon a solid foundation.

My fear now is that the Linux OS community has given application developers an excuse to support neither security infrastructure, because supporting either of them would prevent their product from running in the other environment. So, for a developer, supporting neither SELinux or AppArmor is the cheapest alternative, and maximizes the potential customer base.

Instead of leveraging collaborative open source development to make Linux the most secure operating system in the world, the now fragmented Linux security community will be doing battle over who has the prettier GUI. And the ISV community will ignore us.

Conclusion
-----------

The best outcome would be to have Novell work with the SELinux/open source community to bring the benefits of AppArmor to the architecture/infrastructure that is SELinux. This collaboration would benefit the entire Linux community.